CN110036385B - Mixed mode cloud/on-premise secure communication - Google Patents


Info

Publication number
CN110036385B (application number CN201780074608.0A)
Authority
CN
China
Prior art keywords
cloud
premise device
premise
web browser
user
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201780074608.0A
Other languages
Chinese (zh)
Other versions
CN110036385A (en)
Inventor
M.瑞金
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Carrier Corp
Original Assignee
Carrier Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Events: application filed by Carrier Corp; publication of CN110036385A; application granted; publication of CN110036385B; legal status active (current); anticipated expiration

Classifications (most specific code of each assigned CPC chain; H04L is transmission of digital information, H04W is wireless communication networks, G06F is electric digital data processing)

    • H04L63/08 Network architectures or network communication protocols for network security, for authentication of entities
    • G06F21/10 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity: protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/30 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity: authentication, i.e. establishing the identity or authorisation of security principals
    • H04L63/10 Network architectures or network communication protocols for network security, for controlling access to devices or network resources
    • H04L63/102 Network architectures or network communication protocols for network security, for controlling access to devices or network resources: entity profiles
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3263 Cryptographic mechanisms or arrangements as in H04L9/32, involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3268 Cryptographic mechanisms or arrangements as in H04L9/3263, using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
    • H04W12/069 Security arrangements; Authentication; Protecting privacy or anonymity: authentication using certificates or pre-shared keys
    • H04W12/08 Security arrangements; Authentication; Protecting privacy or anonymity: access security
    • H04W12/088 Security arrangements; Authentication; Protecting privacy or anonymity: access security using filters or firewalls

Abstract

A method and apparatus for mixed mode cloud/on-premise secure communications. The method includes commissioning an on-premise device; connecting to a web address through a client web browser using a first name and the login credentials of a user; verifying the login credentials of the user at a cloud-based service; and, if the login credentials are authenticated, establishing communication with the client web browser and then allowing communication between the client web browser and the cloud-based service.

Description

Mixed mode cloud/on-premise secure communication
Background
The subject matter disclosed herein relates generally to security and access control solutions, video processing, and cloud computing, and more particularly to mixed mode cloud/on-premise secure communications as applied to access control and security management solutions.
The on-premise software delivery model is a deployment model in which an enterprise purchases hardware such as servers, invests in software licenses, and invests in specialized IT personnel for maintenance and support. It is the traditional model, in which an enterprise deploys applications within its own organization, i.e., on its own premises. The initial investment in on-premise computing infrastructure is typically high, but it may pay off in the long term. One advantage of the on-premise model is that the enterprise controls both the systems and the data. An on-premise platform is generally considered more secure than a cloud platform because enterprise data is stored and processed internally (e.g., within the on-premise network).
Cloud computing is a widely adopted and still evolving concept. In general, cloud computing refers to a model for enabling ubiquitous, convenient, on-demand access over the internet to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and functions). Cloud computing has many benefits for both the provider of the computing resources and its customers. For example, a customer may develop and deploy business applications on a cloud infrastructure supplied by a cloud provider, eliminating the cost and complexity of purchasing and managing the hardware and software required to run those applications. The customer need not manage or control the underlying cloud infrastructure, including, for example, networks, servers, operating systems, and storage, but still controls the deployed applications. On the provider side, the provider's computing resources can be offered as different physical and virtual resources to multiple customers and dynamically allocated and reallocated according to customer load. Cloud resources and applications are accessed over the internet.
Security and access control solutions are generally software solutions that are installed and maintained on locally deployed, on-premise servers and computers. These solutions can be expensive for small businesses to acquire and maintain, and for large enterprises the maintenance that on-premise solutions require can be overly cumbersome. It is therefore desirable to provide a method and system that alleviates some of the costs of on-premise security solutions by using, for example, some form of cloud computing.
Disclosure of Invention
According to one embodiment, a method for mixed mode cloud/on-premise secure communications is provided. The method comprises the following steps: commissioning an on-premise device; connecting to a web address through a client web browser using a first name and the login credentials of a user; verifying the login credentials of the user at a cloud-based service; and, if the login credentials are authenticated, establishing communication with the client web browser and allowing communication between the client web browser and the cloud-based service.
In addition to, or as an alternative to, one or more of the features described above, further embodiments may include that the commissioning comprises: generating a set of encryption keys at the on-premise device; connecting from the on-premise device to the cloud-based service at a first network address using a first name and transmitting on-premise device information to the cloud-based service; and generating, at the cloud-based service, a unique name/pseudonym for the on-premise device. The commissioning further comprises: arranging for a publicly accessible DNS service to resolve the unique name/pseudonym to a network address of the cloud-based service, and transmitting the unique name to the on-premise device; generating, at the on-premise device, a Certificate Signing Request (CSR) based on the encryption keys and the unique name/pseudonym, and transmitting the CSR to the cloud-based service; requesting a digital certificate from a trusted Certificate Authority (CA) using the CSR; and, once the CA has issued the digital certificate, receiving it, transmitting it to the on-premise device, and configuring the on-premise device to use the digital certificate.
In addition to, or as an alternative to, one or more of the features described above, further embodiments may include: attempting to connect to the on-premise device using the client web browser in order to fulfill a user request; transmitting, in encrypted form, information associated with the user and related to the on-premise device from the cloud-based service to the client web browser; and redirecting the client web browser to the network address associated with the unique name/pseudonym established during commissioning. Further embodiments may also include: attempting to connect to the unique name/pseudonym using the client web browser and, if the IP address of the on-premise device is unknown, performing domain name system (DNS) resolution to identify the IP address; connecting to the resolved IP address using the client web browser and transmitting the information associated with the user and related to the on-premise device; transmitting the digital certificate issued to the on-premise device during commissioning to the client web browser and cryptographically verifying the digital certificate at the client web browser; and cryptographically verifying, at the on-premise device, the data/claims/rights contained in the information associated with the user, and permitting the user request if the data/claims/rights allow it.
In addition to or as an alternative to one or more of the features described above, further embodiments may include storing, in the client browser, the information associated with the user and related to the on-premise device.
In addition to or as an alternative to one or more of the features described above, further embodiments may include the on-premise device requesting the information associated with the user and related to the on-premise device from the client browser.
In addition to or as an alternative to one or more of the features described above, further embodiments may include the information associated with the user and related to the on-premise device including at least one of: rights, security claims, license feature information, user name, expiration date, and server data.
In addition to or as an alternative to one or more of the features described above, further embodiments may include providing the information as a URL parameter or HTTP header.
In addition to or as an alternative to one or more of the features described above, further embodiments may include generating a result based on the user request.
In addition to or as an alternative to one or more of the features described above, further embodiments may include storing the result in the client browser; in particular, the result may be stored as an HTTP cookie.
In addition to or as an alternative to one or more of the features described above, further embodiments may include the on-premise device being part of at least one of: a security system, an access control system, a fire suppression system, an HVAC system, or an elevator control system.
In addition to or as an alternative to one or more of the features described above, further embodiments may include pre-programming the first name into the on-premise device.
In addition to or as an alternative to one or more of the features described above, further embodiments may include the certificate authority being a separate third party.
In addition to, or as an alternative to, one or more of the features described above, further embodiments may include the unique name being unique to the service provider.
A system for mixed mode cloud/on-premise secure communications is also described herein in embodiments. The system includes an on-premise device that is commissioned to provide secure communication with a cloud-based system, wherein the commissioning comprises: the on-premise device generating a set of encryption keys; the on-premise device connecting to the cloud-based service at a first network address using a first name and transmitting on-premise device information to the cloud-based service; the cloud-based service generating a unique name/pseudonym for the on-premise device; and a publicly available DNS service resolving the unique name/pseudonym to the network address of the cloud-based service, with the unique name transmitted to the on-premise device. The on-premise device generates a Certificate Signing Request (CSR) based on the encryption keys and the unique name/pseudonym and transmits the CSR to the cloud-based service; the cloud-based service requests a digital certificate from a trusted Certificate Authority (CA) using the CSR, receives the digital certificate once the CA issues it, and transmits the digital certificate to the on-premise device; and the on-premise device is configured to use the digital certificate. The system further includes a client web browser that connects to a web address using the first name and the login credentials of the user; the cloud-based service verifies the login credentials of the user, establishes communication with the client web browser if the login credentials are authenticated, and allows communication between the client web browser and the cloud-based service.
In addition to or as an alternative to one or more of the features described above, further embodiments may include the client web browser attempting to connect to the on-premise device to fulfill a user request; the cloud-based service transmitting, in encrypted form, information associated with the user and related to the on-premise device to the client web browser; and the client web browser being redirected to the network address associated with the unique name/pseudonym established during commissioning. Further embodiments may include the client web browser attempting to connect to the unique name/pseudonym and, if the IP address of the on-premise device is unknown, performing domain name system (DNS) resolution to identify the IP address; the client web browser connecting to the resolved IP address and transmitting the information associated with the user and related to the on-premise device; the on-premise device transmitting the digital certificate issued during commissioning to the client web browser, and the client web browser cryptographically verifying the digital certificate; and the on-premise device cryptographically verifying the data/claims/rights contained in the information associated with the user and allowing the user request if the data/claims/rights permit it.
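The commissioning steps recited in the method embodiment above and again in the system embodiment just above, written out as one runnable exchange. This is an added example, not code from the patent or from Carrier: it uses Go's standard crypto/x509 package and plays the on-premise device, the cloud-based service, the trusted CA and the browser's later certificate check as functions in a single program. The provider domain, the pseudonym format, the certificate lifetimes and the device information string are assumptions; the pre-programmed first name, the DNS registration of the pseudonym and the transport between the parties are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed provider domain (the patent names none); the pre-programmed "first name" would be a fixed host under it.
const providerDomain = "devices.provider.invalid"

// CA stands in for the trusted third-party CA to which the cloud forwards the CSR.
type CA struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }

func newCA() (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	return &CA{cert: cert, key: key}, err
}

// Step 1, on-premise device: generate the key pair ("a set of encryption keys").
func deviceGenerateKeys() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Step 2, cloud-based service: mint a random pseudonym for the device that sent deviceInfo;
// the label reveals nothing about the customer site behind it.
func cloudUniqueName(deviceInfo string) (string, error) {
	var b [8]byte
	if _, err := rand.Read(b[:]); err != nil { return "", err }
	return fmt.Sprintf("dev-%x.%s", b, providerDomain), nil
}

// Step 3, on-premise device: CSR with the pseudonym as subject and DNS SAN, signed with the device key (proof of possession).
func deviceCreateCSR(key *ecdsa.PrivateKey, uniqueName string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: uniqueName}, DNSNames: []string{uniqueName}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// Step 4, cloud-based service: check the CSR signature and refuse any CSR that names anything but the
// pseudonym this device was assigned (else one device could obtain a certificate for another's name), then have the CA issue it.
func cloudIssueCert(ca *CA, csrDER []byte, assignedName string) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, err }
	if csr.Subject.CommonName != assignedName || len(csr.DNSNames) != 1 || csr.DNSNames[0] != assignedName {
		return nil, errors.New("CSR name does not match the pseudonym assigned to this device")
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(90 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.cert, csr.PublicKey, ca.key)
}

// Commission runs steps 1-4 and returns the pseudonym plus the DER certificate the device then serves.
func Commission(ca *CA) (string, []byte, error) {
	key, err := deviceGenerateKeys()
	if err != nil { return "", nil, err }
	name, err := cloudUniqueName("model=access-panel") // device info is constructed
	if err != nil { return "", nil, err }
	csr, err := deviceCreateCSR(key, name)
	if err != nil { return "", nil, err }
	certDER, err := cloudIssueCert(ca, csr, name)
	return name, certDER, err
}

// browserVerify is the later client-side check: chain to the trusted CA and require the exact name connected to.
func browserVerify(certDER []byte, root *x509.Certificate, hostname string) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil { return err }
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: hostname})
	return err
}

func main() {
	ca, _ := newCA()
	name, certDER, _ := Commission(ca)
	fmt.Println(name, browserVerify(certDER, ca.cert, name), browserVerify(certDER, ca.cert, "other."+providerDomain))
}
```

The check that matters is in cloudIssueCert: the cloud compares the CSR's subject and SAN with the pseudonym it assigned before the CA is involved, so a device cannot obtain a certificate for another device's name, and the CA only ever sees names under the provider's own domain. Because the pseudonym is resolvable in public DNS and the certificate chains to a CA the browser already trusts, an unmodified browser verifies the on-premise device with no site-local configuration.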
In addition to or as an alternative to one or more of the features described above, further embodiments may include the client browser storing the information associated with the user and related to the on-premise device.
In addition to or as an alternative to one or more of the features described above, further embodiments may include the on-premise device requesting the information associated with the user and related to the on-premise device from the client browser.
In addition to or as an alternative to one or more of the features described above, further embodiments may include the information associated with the user and related to the on-premise device including at least one of: rights, security claims, license feature information, user name, expiration date, and server data.
In addition to or as an alternative to one or more of the features described above, further embodiments may include providing the information as a URL parameter or HTTP header.
In addition to or as an alternative to one or more of the features described above, further embodiments may include the on-premise device generating a result based on the user request.
In addition to or as an alternative to one or more of the features described above, further embodiments may include the client browser storing the result as an HTTP cookie.
In addition to or as an alternative to one or more of the features described above, further embodiments may include the on-premise device being part of at least one of: a security system, an access control system, a fire suppression system, an HVAC system, or an elevator control system.
In addition to or as an alternative to one or more of the features described above, further embodiments may include pre-programming the first name into the on-premise device.
In addition to or as an alternative to one or more of the features described above, further embodiments may include the certificate authority being a separate third party.
In addition to, or as an alternative to, one or more of the features described above, further embodiments may include the unique name being unique to the service provider.
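The browser-to-device leg recited in the method and system embodiments above, where the cloud-based service hands the browser information about the user (rights, user name, expiration date, server data) as a URL parameter or HTTP header and the on-premise device cryptographically verifies it before permitting the request, worked through as an added example. This is not code from the patent or from Carrier: the claim fields, the header name X-Cloud-User-Claims, the token format (base64url JSON payload plus an ECDSA P-256 signature over its SHA-256 digest), the right names and the device pseudonym are all assumptions, and the redirect and DNS resolution steps are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"time"
)

// Claims is the "information associated with the user related to the on-premise device":
// user name, rights, an expiration date and the server (device) it was issued for.
// The field set and the header name are assumptions, not taken from the patent.
type Claims struct {
	User   string   `json:"user"`
	Device string   `json:"device"` // unique name/pseudonym the claims are bound to
	Rights []string `json:"rights"`
	Exp    int64    `json:"exp"` // expiration, Unix seconds
}

const claimsHeader = "X-Cloud-User-Claims"

var enc = base64.RawURLEncoding // URL-safe, so the same token also fits in a URL parameter

// newCloudKey is the cloud-based service's signing key; the device only ever holds the
// public half, so nobody at the customer site can mint or extend rights (tamper resistance).
func newCloudKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// cloudSignClaims runs at the cloud after the user has authenticated there.
func cloudSignClaims(key *ecdsa.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil { return "", err }
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil { return "", err }
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig), nil
}

// deviceVerifyClaims runs on the on-premise device: signature first, then the binding to
// this device's own pseudonym (claims issued for another site must not work here), then
// expiry. Only after all three are the claims trusted at all.
func deviceVerifyClaims(pub *ecdsa.PublicKey, myName, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 { return nil, errors.New("malformed claims token") }
	payload, err := enc.DecodeString(parts[0])
	if err != nil { return nil, err }
	sig, err := enc.DecodeString(parts[1])
	if err != nil { return nil, err }
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) { return nil, errors.New("claims signature invalid") }
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil { return nil, err }
	if c.Device != myName { return nil, fmt.Errorf("claims bound to %q, not to this device", c.Device) }
	if !now.Before(time.Unix(c.Exp, 0)) { return nil, errors.New("claims expired") }
	return &c, nil
}

// Authorize is the device's per-request gate: take the token from the HTTP header the
// browser forwards, verify it, and require the specific right the request needs.
func Authorize(pub *ecdsa.PublicKey, myName string, r *http.Request, needRight string, now time.Time) (*Claims, error) {
	c, err := deviceVerifyClaims(pub, myName, r.Header.Get(claimsHeader), now)
	if err != nil { return nil, err }
	for _, right := range c.Rights {
		if right == needRight { return c, nil }
	}
	return nil, fmt.Errorf("user %q lacks right %q", c.User, needRight)
}

// tamperToken re-encodes the payload with an extra right while keeping the original
// signature: what a compromised browser or a site operator would have to try.
func tamperToken(token, extraRight string) (string, error) {
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 { return "", errors.New("malformed claims token") }
	payload, err := enc.DecodeString(parts[0])
	if err != nil { return "", err }
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil { return "", err }
	c.Rights = append(c.Rights, extraRight)
	forged, _ := json.Marshal(c)
	return enc.EncodeToString(forged) + "." + parts[1], nil
}

func main() {
	key, _ := newCloudKey()
	device := "dev-1a2b3c.devices.provider.invalid" // constructed pseudonym
	token, _ := cloudSignClaims(key, Claims{User: "alice", Device: device,
		Rights: []string{"doors:view"}, Exp: time.Now().Add(time.Hour).Unix()})
	req, _ := http.NewRequest("POST", "https://"+device+"/doors/7/unlock", nil)
	req.Header.Set(claimsHeader, token)
	_, err := Authorize(&key.PublicKey, device, req, "doors:unlock", time.Now())
	fmt.Println("unlock with view-only claims:", err)
	forged, _ := tamperToken(token, "doors:unlock")
	req.Header.Set(claimsHeader, forged)
	_, err = Authorize(&key.PublicKey, device, req, "doors:unlock", time.Now())
	fmt.Println("unlock with forged claims:", err)
}
```

The order of checks in deviceVerifyClaims is deliberate: nothing in the payload, not even the device name, is read before the signature has been verified, so a forged or edited token is rejected on cryptographic grounds alone. The device-name binding is what stops a valid token for one customer's device being replayed against another, and the expiry is what bounds the damage from a token copied out of a browser.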
In yet another embodiment, a computer program product for configuring mixed-mode cloud/on-premise secure communications is described herein, the computer program product comprising a computer-readable storage medium having program instructions embodied therewith, the program instructions being executable by one or more processors to cause the processors to implement the methods described herein.
The foregoing features and elements may be combined in various combinations without being exclusive unless explicitly indicated otherwise. These features and elements, as well as the operation thereof, will become more apparent from the following description and drawings. It is to be understood, however, that the following description and drawings are intended to be illustrative and explanatory only and are not restrictive in nature.
Brief description of the drawings
The foregoing and other features and advantages of the disclosure are apparent from the following detailed description taken in conjunction with the accompanying drawings in which:
FIG. 1 depicts a cloud computing environment in accordance with one or more exemplary embodiments;
FIG. 2 depicts an abstract model layer in accordance with one or more exemplary embodiments;
FIG. 3 is a block diagram illustrating one example of a processing system for practicing the teachings herein in accordance with one or more exemplary embodiments;
FIG. 4 illustrates a block diagram of a cloud-based communication process in accordance with one or more exemplary embodiments;
FIG. 5 illustrates a flowchart of a method for commissioning an on-premise device for mixed-mode cloud/on-premise communication in accordance with one or more example embodiments;
FIG. 6 illustrates a flow diagram of a method of mixed mode cloud/on-premise communication in accordance with one or more exemplary embodiments; and
Fig. 7 illustrates a flow diagram of a method of mixed mode cloud/on-premise communication in accordance with one or more exemplary embodiments.
Detailed Description
An enterprise may choose to run its applications entirely on-premise or entirely on a cloud platform. However, both cloud and on-premise platforms have advantages and disadvantages. For cloud platforms, security and compliance concerns may be a disadvantage; for an on-premise platform, cost may be. Because the initial investment in on-premise infrastructure may be high, an enterprise that has invested in an on-premise platform may prefer to adopt a cloud platform gradually (where available) in order to maximize its return and protect its initial investment. For flexibility and lower implementation cost, while keeping the functionality and security of an on-premise application, such an enterprise may need a set of cloud-based security management applications. Hybrid software delivery models may therefore bring more value to these enterprises.
The hybrid delivery model is a mixture of the on-premise and cloud-based (e.g., on-demand) models. For example, where an application operates on an on-premise platform with sensitive data, it may be undesirable to store that data on a cloud platform and access it over the internet; in that case hybrid software delivery may be used, with applications running on the on-premise platform consuming cloud services. Applications that can be deployed and run on both an on-premise platform and a cloud platform with little or no modification to their original source code are referred to herein as hybrid applications. For example, a hybrid application may be deployed and/or run on an on-premise platform and use services or other resources provided by a cloud platform (e.g., a public or virtual private cloud). Conversely, a hybrid application may be deployed and/or run on a cloud platform and use resources of an on-premise platform, such as a backend system. Another situation where a hybrid software delivery model may be suitable is where an enterprise prefers to run its existing on-premise applications on a cloud platform. For example, business applications running on-premise at a site may be extended or migrated to a cloud platform, e.g., to use the functionality and the modern development environments and models the cloud platform provides. However, enabling an on-premise application to operate on the cloud may cost the enterprise as much as developing a new application, which erodes the protection of its on-premise investment. Furthermore, when an application is migrated to a cloud platform, it may be necessary to maintain two versions of it, one for the on-premise platform and one for the cloud platform, increasing maintenance costs.
Enterprises applying on-premise or cloud software delivery models often have to strike a balance between security and cost. Communication between clients and applications, and between on-premise and cloud devices, must be protected. Communications are typically secured using standards-based methods such as Transport Layer Security (TLS). In practice, however, deploying TLS is difficult and cumbersome: there is no simple way to obtain a signed certificate for an on-premise host, and the lack of consistent naming of network hosts means that certificates can only be issued after significant coordination with the customer's internal Information Technology (IT) personnel. Beyond transport security, providers of on-premise and hybrid applications for customer enterprise solutions also need tamper-resistant licensing and permissions, which are difficult to achieve on hardware or virtual servers under the customer's control.
It would therefore be advantageous for an enterprise if a user, after first authenticating to the cloud-based applications, could seamlessly and securely access both cloud-based and on-premise applications. To achieve this, disclosed herein in embodiments is a hybrid solution that provides a cloud-hosted application with the following functions: a launch (starter) user interface; user and permission management; network name resolution (domain name system (DNS) resolution) for the on-premise servers and modules; a web-based single sign-on/federated identity provider; digital certificate issuance; and license management. The hybrid solution also provides an on-premise "gateway" application whose functions are to register a unique name, capabilities, and network address with the cloud application described above, and to verify the credential information provided by the cloud application.
The embodiments described herein are directed to access control and security management solutions implemented as hybrid cloud/on-premise solutions with secure communications. One or more embodiments disclosed herein provide a simplified scheme for ensuring secure communication between on-premise devices and applications and cloud-based applications, without significant impact on, or configuration of, the on-premise environment. Advantageously, in one or more embodiments, the described methods enable secure communications with tamper-resistant permissions, centralized authorization management, and multi-tenancy, provide a progressive path to a fully cloud-hosted solution, and avoid the need for dedicated secure channels, interfaces, and programming.
In accordance with one or more embodiments, implementing a mixed mode cloud/on-premise secure communication solution may provide advantages such as secure communication, network hostname resolution, network transport layer security, authentication, authorization, and permissions. It should be understood that while embodiments are described herein with reference to security and access control solutions, these descriptions are for illustration only and should not be construed as limiting. The described embodiments can be readily applied to any application that requires a hybrid cloud/on-premise solution and would benefit from secure communications. For example, the embodiments disclosed herein may be equally applicable to application security, access control solutions, fire suppression systems, heating, ventilation, and air conditioning (HVAC) systems, and elevator control systems.
It is to be understood in advance that although the present disclosure includes particular embodiments on cloud computing, implementations of the teachings described herein are not limited to cloud computing environments. Rather, the embodiments can be implemented in connection with any other type of computing environment, now known or later developed.
Cloud computing is a service delivery model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, network bandwidth, servers, processing, memory, storage, applications, virtual machines, and services) that can be rapidly provisioned and released with minimal management effort or interaction with the service provider. This cloud model may include at least five characteristics, at least three service models, and at least four deployment models.
The characteristics are as follows:
On-demand self-service: a cloud consumer can unilaterally provision computing capabilities, such as server time and network storage, automatically as needed without requiring human interaction with the service provider.
Broad network access: capabilities are available over a network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms (e.g., mobile phones, laptops, and PDAs).
Resource pooling: the provider's computing resources are pooled to serve multiple consumers using a multi-tenant model, with different physical and virtual resources dynamically assigned and reassigned according to demand. There is a sense of location independence in that the consumer generally has no control or knowledge over the exact location of the provided resources but may be able to specify location at a higher level of abstraction (e.g., country, state, or data center).
Rapid elasticity: capabilities can be rapidly and elastically provisioned, in some cases automatically, to quickly scale out, and rapidly released to quickly scale in. To the consumer, the capabilities available for provisioning often appear to be unlimited and can be purchased in any quantity at any time.
Measured service: cloud systems automatically control and optimize resource use by leveraging a metering capability at some level of abstraction appropriate to the type of service (e.g., storage, processing, bandwidth, and active user accounts). Resource usage can be monitored, controlled, and reported, providing transparency for both the provider and the consumer of the utilized service.
The service models are as follows:
Software as a Service (SaaS): the capability provided to the user is to use the provider's applications running on a cloud infrastructure. The applications may be accessed from various client devices through a thin client interface such as a web browser (e.g., web-based email). The user does not manage or control the underlying cloud infrastructure, including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.
Platform as a Service (PaaS): the capability provided to the user is to deploy onto the cloud infrastructure user-created or acquired applications created using programming languages and tools supported by the provider. The user does not manage or control the underlying cloud infrastructure (including network, servers, operating systems, or storage), but has control over the deployed applications and possibly the application hosting environment configuration.
Infrastructure as a Service (IaaS): the capability provided to the user is to provision processing, storage, networks, and other fundamental computing resources where the user is able to deploy and run arbitrary software, which can include operating systems and applications. The user does not manage or control the underlying cloud infrastructure, but has control over operating systems, storage, and deployed applications, and possibly limited control of select networking components (e.g., host firewalls).
The deployment models are as follows:
Private cloud: the cloud infrastructure is operated solely for an organization. It may be managed by the organization or a third party and may exist on-premise or off-premise.
Community cloud: the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g., mission, security requirements, policy, and compliance considerations). It may be managed by the organizations or a third party and may exist on-premise or off-premise.
Public cloud: the cloud infrastructure is made available to the general public or a large industry group and is owned by an organization selling cloud services.
Hybrid cloud: the cloud infrastructure is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds).
Cloud computing environments are service-oriented, focusing on stateless, low-coupling, modular, and semantic interoperability. At the heart of cloud computing is an infrastructure that includes a network of interconnected nodes.
Referring now to FIG. 1, an illustrative cloud computing environment 10 is depicted. As shown, cloud computing environment 10 includes one or more cloud computing nodes 12 with which on-premise computing devices 14a-e may communicate. The on-premise computing devices 14a-e are typically connected to an on-premise Local Area Network (LAN) 17, Wide Area Network (WAN), cellular network, or the like, to facilitate communication with the cloud computing nodes 12. For example, the on-premise computing device may be a Personal Digital Assistant (PDA) or cellular telephone 14a, a desktop computer/terminal/server 14b, a laptop computer 14c, a vehicle 14d, or a security or access control panel 14e. Computing devices 14a-e may also be configured to communicate with each other or with various sensors 16. Communication with other computing devices 14a-e or sensors 16 may be wired or wireless, as desired. Communication may also take place over a Local Area Network (LAN), as depicted by arrow 17, if desired. Cloud computing nodes 12 may communicate with each other and/or be physically or virtually grouped (not shown) in one or more networks (e.g., a private cloud, community cloud, public cloud, or hybrid cloud as described above) or in one or more combinations thereof. This allows the cloud computing environment 10 to provide infrastructure, platforms, and/or software as a service for which cloud users need not maintain resources, or need only minimal resources, at the local computing device level. It should be appreciated that the types of computing devices 14 shown in fig. 1 are for illustration only, and that computing nodes 12 and cloud computing environment 10 may communicate with any type of computerized device over any type of network and/or network-addressable connection (e.g., using a web browser).
Referring now to FIG. 2, a set of functional abstraction layers provided by cloud computing environment 10 (FIG. 1) is shown. It should be understood in advance that the components, layers, and functions shown in fig. 2 are intended to be illustrative only, and embodiments are not limited thereto. As depicted, the following layers and corresponding functions are provided.
The hardware and software layer 60 includes hardware and software components. Examples of hardware components include: a host 61; a server 62 based on RISC (reduced instruction set computer) architecture; a server 63; blade server 64; a storage device 65; and a network and networking component 66. In some embodiments, the software components include web application server software 67 and database software 68.
The virtualization layer 70 provides an abstraction layer from which the following examples of virtual entities may be provided: a virtual server 71; a virtual storage device 72; a virtual network 73 including a virtual private network; virtual applications and an operating system 74; and a virtual client 75.
In one example, management layer 80 may provide the functionality described below. Resource provider 81 provides dynamic procurement of computing resources and other resources for performing tasks within the cloud computing environment. Metering and pricing 82 provides cost tracking of resources as they are utilized in the cloud computing environment, as well as billing or invoices for using the resources. In one example, these resources may include application software permissions. Security provides authentication of cloud users and tasks, as well as protection of data and other resources. User portal 83 provides users and system administrators with access to the cloud computing environment. Service level management 84 provides cloud computing resource allocation and management such that the required service level is met. Service Level Agreement (SLA) planning and implementation 85 provides for the prearrangement and procurement of cloud computing resources for which future demands are anticipated according to the SLA.
Workload layer 90 provides an example of functionality that may utilize a cloud computing environment. Examples of workloads and functions that may be provided from this layer include: mapping and navigating 91; software development and lifecycle management 92; virtual classroom education delivery 93; a data analysis process 94; transaction processing 95; and message processing 96 across multiple communication systems.
In accordance with various embodiments of the present disclosure, methods, systems, and computer program products are provided for a security management solution with secure communications in a mixed mode cloud/on-premise environment. In one or more exemplary embodiments, disclosed herein is a simplified scheme for ensuring secure communication between an on-premise application and a cloud-based application without significant impact on the on-premise configuration. In accordance with one or more embodiments, implementing a cloud computing hybrid mode cloud/on-premise security management solution may provide advantages such as secure communications, network hostname resolution, network transport layer security, authentication, authorization, and permissions.
Referring to fig. 3, an embodiment of a processing system 100 for a given computing device 14 is shown that may be used to implement the teachings herein. In this embodiment, the system 100 has one or more central processing units (processors) 101a, 101b, 101c, etc. (collectively referred to as processors 101). In one embodiment, each processor 101 may comprise a Reduced Instruction Set Computer (RISC) microprocessor. The processor 101 is coupled to a system memory 114 and various other components via a system bus 113. Read Only Memory (ROM) 102 is coupled to system bus 113 and may include a basic input/output system (BIOS) that controls certain basic functions of system 100.
FIG. 3 also depicts input/output (I/O) adapter 107 and network adapter 106 coupled to system bus 113. I/O adapter 107 may be a Small Computer System Interface (SCSI) adapter in communication with hard disk 103 and/or tape storage drive 105 or any other similar component. I/O adapter 107, hard disk 103, and tape storage 105 are collectively referred to herein as mass storage 104. An operating system 120 for execution on the processing system 100 may be stored in the mass storage device 104. Network adapter 106 interconnects bus 113 with external network 116 enabling data processing system 100 to communicate with other such systems. A screen (e.g., a display monitor) 115 is connected to system bus 113 via display adapter 112, which may include a graphics adapter to improve the performance of graphics-intensive applications and video controllers. In one embodiment, adapters 107, 106, and 112 may be connected to one or more I/O buses connected to system bus 113 through an intermediate bus bridge (not shown). Suitable I/O buses for connecting peripheral devices such as hard disk controllers, network adapters, and graphics adapters typically include a common protocol, such as Peripheral Component Interconnect (PCI). Additional input/output devices are shown connected to the system bus 113 through the user interface adapter 108 and the display adapter 112. The keyboard 109, mouse 110, and speaker 111 are all interconnected to the bus 113 by a user interface adapter 108, which may include, for example, a super I/O chip that integrates multiple device adapters into a single integrated circuit.
Thus, as configured in FIG. 3, system 100 includes processing capabilities in the form of processor 101, storage capabilities including system memory 114 and mass storage device 104, input devices such as keyboard 109 and mouse 110, and output capabilities including speaker 111 and display 115. In one embodiment, the system memory 114 and a portion of the mass storage device 104 collectively store an operating system to coordinate the functions of the various components shown in FIG. 3. It should be understood that the components of the system described are for illustration purposes only. The described features and functions may be omitted, integrated or distributed as required in order to accommodate a particular application.
Turning now to fig. 4, a diagram of a portion of a hybrid mode cloud/on-premise security management system 200 and method is shown that allows an enterprise to seamlessly access cloud-based and on-premise applications in a secure manner after first authenticating to the cloud-based applications. The figure depicts the interconnection and communication between cloud-based components (as depicted in fig. 2) and on-premise components. In an embodiment, the method includes providing the cloud-based portions or functions 230 of the cloud application and initiator UI 234, user security permissions 232 for authorization management, secure communication network hostname resolution (DNS) 236 for the on-premise server, network transport layer security, authentication and authorization (i.e., a web-based single sign-on/federated identity provider), digital certificate generation, and permissions management 238. The on-premise portion 210 provides the enterprise with the ability to register unique names, capabilities, and network addresses with the cloud application described above, and the ability to verify credential information provided by the cloud application. The on-premise portion 210 of the system 200 includes one or more on-premise computing devices 14a-e (shown in FIG. 1), including but not limited to the processing system 100 or a portion thereof (as described with reference to FIG. 3). Each on-premise computing device 14 may be a security panel, a control device, a mobile device, a server, or a cloud gateway, etc. As described with respect to fig. 1, the on-premise portion may also include sensors 16 and other devices 14 in communication with each other. An on-premise client, shown generally as 212, employs an on-premise computing device 214 to execute applications as needed. In a security or access control application, computing device 14 may be a security or access control panel or server, and sensors 16 may be various sensors that may be employed by the system, such as motion sensors, occupancy sensors, door or window sensors, door readers, etc.
The embodiments described herein are directed to access control security management solutions implemented in hybrid cloud/on-premise solutions with secure communications. In one or more exemplary embodiments, as disclosed herein, a simplified scheme is provided for ensuring secure communication between an on-premise application and a cloud-based application without significant impact on the on-premise configuration. Advantageously, in one or more embodiments, the described methods eliminate the need for maintaining secure channels and dedicated interfaces and programming for secure communications with the cloud, allow tamper-proof permissions, centralized authorization management, and multi-tenancy, and enable a progressive path to a fully cloud-hosted solution.
Setup and initialization
Turning now also to fig. 5, a flow chart depicting a mixed-mode cloud/on-premise security management method 500 is provided. In an embodiment, initial setup or commissioning is performed to establish authentication for the cloud-based applications in order to facilitate implementation and allow enterprises to seamlessly access cloud-based and on-premise applications in a secure manner. That is, secure communications are established between the on-premise device and the cloud-based application. First, as depicted at process step 505, a new on-premise device 214 (device, server, or cloud gateway) of the security system 200 is installed on premise and powered on. At process step 510, the on-premise device 214 generates an asymmetric encryption key pair. These keys are generated using conventional, well-known processes and are saved for later use in the process as part of authentication, to facilitate establishing secure communications. The on-premise device 214 then connects to the cloud-based service 230 at the certificate generation process 238, as depicted by line 211, using a well-known name (e.g., "https://registration.security.lenel.com") provided by the security system 200, and transmits its network/IP address (e.g., '192.168.1.2') together with its firmware version and capability list, as depicted at process step 515. Typically, the well-known name is programmed into the on-premise device 214 at the time of manufacture. At process step 520, the certificate generation process 238 of the cloud-based service generates a unique name/pseudonym for the on-premise device 214 within the namespace of the cloud system (e.g., "14992568-5E09-48d2-BEB2-BE87186636FE.security.lenel.com").
The cloud-based service 230 configures its DNS service 236 to resolve the name '14992568-5E09-48d2-BEB2-be87186636fe.security.lenel.com' to the network/IP address (e.g., '192.168.1.2') provided by the on-premise device 214, as depicted at process step 525; the name is then transmitted back to the on-premise device 214, as depicted by line 237. The on-premise device 214 receives the unique name/pseudonym and then generates a digital Certificate Signing Request (CSR) for the unique name/pseudonym using the previously generated encryption key, as depicted at process step 530, and transmits the CSR to the cloud-based service 230, as depicted by line 215. At process step 535, the certificate generation service 238 of the cloud-based service 230 automatically contacts a trusted third party Certification Authority (CA) 250 (e.g., entrust.com) and requests a new digital certificate using the provided CSR, as depicted by line 217. The CA issues the certificate and transmits it back to the cloud-based service 230. The cloud-based service 230 then transmits the certificate to the on-premise device 214. Finally, at process step 540, the on-premise device 214 is configured to use the new certificate. The customer can now use the cloud-based service 230 through a web page to authorize the newly added on-premise device 214 to become part of its security or access control system 200. At this point, the system is ready for use with the new on-premise device 214.
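Process steps 510 through 535 above, as an added example in Go that is not code from the patent or from the assignee: the on-premise device generates its key pair, builds a CSR for the pseudonym the cloud assigned, and the cloud's certificate generation service validates that CSR before forwarding it to the CA. The pseudonym, the example.com namespace and the function names are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// GenerateDeviceKey is process step 510: the on-premise device creates an
// asymmetric key pair locally. The private key never leaves the device.
func GenerateDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// BuildCSR is process step 530: once the cloud has assigned the device its
// unique pseudonym, the device signs a CSR for exactly that name.
func BuildCSR(deviceKey *ecdsa.PrivateKey, pseudonym string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: pseudonym},
		DNSNames: []string{pseudonym}, // browsers match the SAN, not the CN
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, deviceKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// ValidateCSR is the check the cloud's certificate generation service 238
// should run before step 535 (forwarding the CSR to the CA): the request must
// carry a valid proof-of-possession signature and must name only the pseudonym
// the cloud assigned to this device, so a device cannot obtain a certificate
// for another device's name or for the cloud's own hostnames.
func ValidateCSR(csrPEM []byte, assignedName string) (*x509.CertificateRequest, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("not a PEM certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	if _, ok := csr.PublicKey.(*ecdsa.PublicKey); !ok {
		return nil, errors.New("unexpected key type in CSR")
	}
	want := strings.ToLower(assignedName)
	if strings.ToLower(csr.Subject.CommonName) != want {
		return nil, fmt.Errorf("CN %q is not the assigned name %q", csr.Subject.CommonName, assignedName)
	}
	if len(csr.DNSNames) != 1 || strings.ToLower(csr.DNSNames[0]) != want {
		return nil, fmt.Errorf("SAN list %v must contain only %q", csr.DNSNames, assignedName)
	}
	if len(csr.IPAddresses) != 0 || len(csr.EmailAddresses) != 0 || len(csr.URIs) != 0 {
		return nil, errors.New("CSR requests identifiers other than the assigned DNS name")
	}
	return csr, nil
}

func main() {
	// Constructed pseudonym under a placeholder namespace; the real namespace
	// belongs to the cloud operator.
	assigned := "14992568-5e09-48d2-beb2-be87186636fe.security.example.com"
	key, err := GenerateDeviceKey()
	if err != nil {
		panic(err)
	}
	csrPEM, err := BuildCSR(key, assigned)
	if err != nil {
		panic(err)
	}
	if _, err := ValidateCSR(csrPEM, assigned); err != nil {
		panic(err)
	}
	fmt.Println("CSR accepted, forwarding to CA for", assigned)
	// A CSR whose name differs from the one the cloud assigned is rejected.
	_, err = ValidateCSR(csrPEM, "other-device.security.example.com")
	fmt.Println("mismatched name rejected:", err != nil)
}
```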
User connection
Turning now also to FIG. 6, the customer interactions that deliver the desired functionality of the security system 200 are described. In fig. 6, a flow chart depicting a mixed-mode cloud/on-premise security management method 600 is provided. In an embodiment, as depicted at process step 605, the commissioning process 500, as depicted in FIG. 5 and described above, is completed. Then, to initiate communication, an enterprise client seeking to use the security or access control system 200 uses an Internet web browser 216 (shown as an on-premise client), an application program, or even another computing device 14a-e on his computer/tablet/phone/Internet-enabled device to connect to the well-known web address identified above (e.g., "https://customer.security.lenel.com") to gain access and begin using the security system 200, as shown by line 221. The application and initiator 234 of the cloud-based system 230 negotiates a TLS-protected session with the client browser 216 to verify identity and secure the communication. The customer then uses their username and password (or other/additional authentication means) to prove their identity to the user security clearance service 232 of the cloud-based system 230, as shown by line 213, as part of a standard login, where the cloud-based system 230 verifies the provided credentials and accepts the connection if the credentials are valid, as depicted at process step 610. At this point, communication between the client web browser 216 and the cloud-based application 230 has been established, mutual authentication of the user and the cloud-based application 230 has been performed, and the cloud-based application 230 may rely on it when providing information to the user through the client web browser 216, as depicted at process step 615. The client can now use the application 234 of the cloud-based system 230 to perform any actions that they are authorized to perform.
In an embodiment, if a customer wishes to perform actions that require interaction with the on-premise system 210, the following additional steps are taken to establish authentication and secure communication with the on-premise device 214. Turning now also to fig. 7, a flow chart is depicted showing the process by which a user connects to the on-premise device 214 through the web browser 216. At process step 705, the user attempts to connect to the on-premise device 214 using the client web browser 216 as described above and depicted again at line 221 to fulfill the user request. The cloud-based system 230 gathers the rights/security claims/other data associated with the authenticated user (as described above in process 600 with reference to fig. 6) and related to the on-premise system 210, cryptographically signs them, and transmits them to the client browser 216, as depicted by line 225 and as shown at process step 710. Optionally, the client browser 216 may store the information as an HTTP cookie 227 for subsequent use, as depicted at process step 715.
Continuing with process step 720, the cloud-based system 230, at the initiator service 234, redirects the client browser 216 to a URL that includes the name registered during setup (as described above with reference to fig. 5), as shown by line 229 (e.g., 'https://14992568-5E09-48d2-BEB2-BE87186636FE.security.lenel.com/on-premises-app/'). It should be noted that the cloud-based system 230 may optionally include the rights/security claims/other data as URL parameters or HTTP headers. In addition, the data may be cryptographically signed. Finally, the client browser 216 will now attempt to connect to the registered name, as depicted at process step 725. To establish a connection, the client browser 216 needs to resolve the name back to the IP address; if the client uses the name for the first time, Domain Name System (DNS) resolution is needed. The following is the standard (RFC 1034 and RFC 1035) sequence of steps (see, e.g., https://www.ietf.org/procedures/42/slides/nat-heffeman-slides-98aug/slide001.htm). The client browser 216 contacts the local network on-premise DNS server 218. The on-premise DNS server 218 sends the request to a DNS root server (https://www.iana.org/domains/root/servers) (not shown). The root DNS server refers the on-premise DNS server 218 to the DNS server 236 of the cloud-based system, as depicted by line 231. The on-premise DNS server 218 sends the request to the DNS server 236 of the cloud-based system. The DNS server 236 of the cloud-based system replies to the on-premise DNS server 218 with the IP address of the on-premise device 214. The on-premise DNS server 218 then replies to the client browser 216 with the completed resolution, i.e., the IP address. Turning now to process step 730, once the address is resolved, the client browser 216 connects to the on-premise device 214 and begins negotiating a TLS session to secure future transmissions.
The on-premise device 214 participates in the negotiation and transmits the certificate issued to it during setup (as described above with reference to fig. 5) to the client browser 216, as indicated by line 233. The client browser 216 may then cryptographically verify the certificate. Once the connection is established, the client browser 216 communicates the URL parameters and/or headers (commonly referred to as claims/permissions) previously provided by the cloud-based system 230 to the on-premise device 214, as depicted at process step 735. Advantageously, the on-premise device 214 may now optionally request access to the temporarily stored data (e.g., information associated with the user and with the on-premise device, optionally stored as an HTTP cookie), and the client browser 216 will provide it because they share the same parent domain.
Continuing with process step 740, the on-premise application cryptographically verifies the data/claims/rights from the authoritative source (the cloud-based system 230). The user then requests the desired action of the on-premise device 214, and if the rights/claims (previously provided) allow execution, the on-premise device 214 of the security system 200 performs the requested action. Optionally, the client web browser 216 stores the results/data in the cookie 227 for later access by the cloud-based server 230, as depicted at process step 745. The user may continue to use the on-premise device 214 or may be redirected back to the cloud-based system address. Advantageously, the next time a user operating through the client web browser 216 needs to access the on-premise device 214, some of the above lookups or security negotiations may be shortened or skipped, according to the relevant standards, due to DNS resolution result caching or TLS session resumption.
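The signed-claims exchange of process steps 710 and 740 above, as an added example in Go that is not part of the patent: the cloud-based system signs the user's rights with its private key, and the on-premise device verifies the signature against the cloud's public key, checks that the claims were issued for its own registered name, and checks the expiry before performing the requested action. The token format, the field names, the device name and the rights strings are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the rights/security-claims bundle the cloud signs at step 710 and
// the browser carries to the on-premise device as a URL parameter, header or
// cookie. The field names are an assumption; the patent fixes no format.
type Claims struct {
	Subject  string   `json:"sub"`    // authenticated cloud user
	Audience string   `json:"aud"`    // registered pseudonym of the target device
	Rights   []string `json:"rights"` // actions the user may perform on that device
	Expires  int64    `json:"exp"`    // unix seconds
}

// SignClaims runs in the cloud-based system 230: JSON payload, SHA-256 digest,
// ECDSA signature, encoded as payload.signature in URL-safe base64 so it can
// travel unchanged in a query string, header or cookie.
func SignClaims(cloudKey *ecdsa.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, cloudKey, digest[:])
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig), nil
}

// VerifyClaims is process step 740 on the on-premise device 214. Only the
// cloud's public key (provisioned during setup) is trusted as the authoritative
// source. The audience check matters because a cookie scoped to the shared
// parent domain reaches every registered device under that domain.
func VerifyClaims(cloudPub *ecdsa.PublicKey, token, myName string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(cloudPub, digest[:], sig) {
		return nil, errors.New("signature does not verify against the cloud key")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if !strings.EqualFold(c.Audience, myName) {
		return nil, fmt.Errorf("claims issued for %q, not for this device", c.Audience)
	}
	if now.Unix() >= c.Expires {
		return nil, errors.New("claims expired")
	}
	return &c, nil
}

// Authorize decides whether verified claims allow the requested action.
func Authorize(c *Claims, action string) bool {
	if c == nil {
		return false
	}
	for _, r := range c.Rights {
		if r == action {
			return true
		}
	}
	return false
}

func main() {
	cloudKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	device := "14992568-5e09-48d2-beb2-be87186636fe.security.example.com" // constructed
	now := time.Now()
	token, _ := SignClaims(cloudKey, Claims{Subject: "alice@example.com", Audience: device,
		Rights: []string{"door.unlock"}, Expires: now.Add(5 * time.Minute).Unix()})
	c, err := VerifyClaims(&cloudKey.PublicKey, token, device, now)
	fmt.Println("verified:", err == nil, "door.unlock:", Authorize(c, "door.unlock"),
		"config.write:", Authorize(c, "config.write"))
	_, err = VerifyClaims(&cloudKey.PublicKey, token, "other.security.example.com", now)
	fmt.Println("claims presented to a different device rejected:", err != nil)
}
```

Because the cookie 227 is scoped to the shared parent domain, every registered device under it receives the same stored claims, which is why the device binds acceptance to its own name and to a short expiry rather than to the signature alone.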
While the disclosure has been described in detail in connection with only a limited number of embodiments, it should be readily understood that the disclosure is not limited to such disclosed embodiments. Rather, the disclosure can be modified to incorporate any number of variations, alterations, substitutions, combinations, sub-combinations or equivalent arrangements not heretofore described, but which are commensurate with the scope of the disclosure. Further, while various embodiments of the present disclosure have been described, it is to be understood that aspects of the present disclosure may include only some of the described embodiments.
The following definitions and abbreviations are used to interpret the claims and the specification. The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. The terms "a," "an," "at least one," and "one or more" may be understood to include any integer greater than or equal to one, i.e., one, two, three, four, etc. The term "plurality" may be understood to include any integer greater than or equal to two, i.e., two, three, four, five, etc. The term "coupled" may include both indirect "coupling" and direct "coupling".
It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. The term "exemplary" is used herein to mean "serving as an example, instance, or illustration." Any embodiment or design described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments or designs.
References in the specification to "one embodiment," "an example embodiment," etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may or may not include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Furthermore, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
The corresponding structures, materials, acts, and equivalents of all means or step plus function elements in the claims below are intended to include any structure, material, or act for performing the function in combination with other claimed elements as specifically claimed. The description has been presented for purposes of illustration and description, but is not intended to be exhaustive or limited to the embodiments in the form disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope of the disclosure. The embodiments were chosen and described in order to best explain the principles of the disclosure and the practical application, and to enable others of ordinary skill in the art to understand the various embodiments with various modifications as are suited to the particular use contemplated.
The embodiments may be a system, a method, and/or a computer program product at any possible technical detail level of integration. The computer program product may include one (or more) computer-readable storage media having computer-readable program instructions thereon for causing a processor to carry out aspects of the present disclosure.
The computer readable storage medium may be a tangible device that can retain and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. A non-exhaustive list of more specific examples of the computer readable storage medium includes the following: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a Read-Only Memory (ROM), an Erasable Programmable Read-Only Memory (EPROM or flash memory), a Static Random Access Memory (SRAM), a portable Compact Disc Read-Only Memory (CD-ROM), a Digital Versatile Disc (DVD), a memory stick, a floppy disk, a mechanically encoded device such as punch cards or raised structures in a groove having instructions recorded thereon, and any suitable combination of the foregoing. A computer readable storage medium, as used herein, is not to be construed as being transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission media (e.g., light pulses passing through a fiber-optic cable), or electrical signals transmitted through a wire.
The computer readable program instructions described herein may be downloaded from a computer readable storage medium to a corresponding computing/processing device or to an external computer or external storage device over a network (e.g., the internet, a local area network, a wide area network, and/or a wireless network). The network may include copper transmission cables, optical transmission fibers, wireless transmissions, routers, firewalls, switches, gateway computers and/or edge servers. The network adapter card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium within the corresponding computing/processing device.
The computer readable program instructions for carrying out the operations of the present disclosure may be assembler instructions, Instruction Set Architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, configuration data for integrated circuitry, or either source code or object code written in any combination of one or more programming languages, including an object-oriented programming language such as Java, Smalltalk, C++ or the like, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider). In some embodiments, electronic circuitry including, for example, programmable logic circuitry, a Field Programmable Gate Array (FPGA), or a Programmable Logic Array (PLA) may execute the computer readable program instructions by utilizing state information of the computer readable program instructions to personalize the electronic circuitry, in order to perform aspects of the present disclosure.
Aspects in accordance with one or more embodiments are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer readable program instructions.
These computer readable program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable storage medium having the instructions stored therein includes an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The description of the various embodiments has been presented for purposes of illustration and is not intended to be exhaustive or limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein was chosen in order to best explain the principles of the embodiments, the practical application or technical improvement over technologies found in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.
Accordingly, the disclosure is not to be seen as limited by the foregoing description, but is only limited by the scope of the appended claims.

Claims (26)

1. A method for mixed-mode cloud/on-premise secure communications, the method comprising:
commissioning an on-premise device, wherein the commissioning comprises:
generating a set of encryption keys,
connecting to a cloud-based service from a first network address using a first name, and transmitting on-premise device information to the cloud-based service,
generating a unique name/pseudonym for the on-premise device at the cloud-based service,
resolving the unique name/pseudonym to a network address of the cloud-based service using an accessible DNS service, and transmitting the unique name to the on-premise device,
generating a Certificate Signing Request (CSR) at the on-premise device based on the encryption keys and the unique name/pseudonym, and transmitting the CSR to the cloud-based service,
requesting a digital certificate from a trusted Certificate Authority (CA) using the CSR, receiving the digital certificate once the CA issues it, and transmitting the digital certificate to the on-premise device, and
configuring the on-premise device to use the digital certificate;
connecting to a web address through a client web browser using the first name and login credentials of a user; and
verifying the login credentials of the user at the cloud-based service and, if the login credentials are authenticated, establishing communication with the client web browser and allowing communication between the client web browser and the cloud-based service.
2. The method of claim 1, further comprising:
attempting to connect to the on-premise device using the client web browser to fulfill a user request;
transmitting information associated with the user and related to the on-premise device from the cloud-based service to the client web browser in an encrypted manner;
redirecting the client web browser to a network address associated with the unique name/pseudonym employed during the commissioning;
attempting to connect to the unique name/pseudonym using the client web browser and performing Domain Name System (DNS) resolution to identify the IP address of the on-premise device if the IP address is unknown;
connecting to the resolved IP address using the client web browser and transmitting the information associated with the user and related to the on-premise device;
transmitting the digital certificate issued to the on-premise device during the commissioning to the client web browser and cryptographically verifying the digital certificate using the client web browser; and
cryptographically verifying, at the on-premise device, data/claims/rights from the information associated with the user and related to the on-premise device, and allowing the user request if the data/claims/rights permit it.
3. The method of claim 2, further comprising storing the information associated with the user and related to the on-premise device in the client web browser.
4. The method of claim 3, further comprising the on-premise device requesting the information associated with the user and related to the on-premise device from the client web browser.
5. The method of claim 2 or 3, wherein the information associated with the user and related to the on-premise device comprises at least one of: rights, security claims, license feature information, user name, expiration date, and server data.
6. The method of claim 5, wherein the information is provided as a URL parameter or an HTTP header.
7. The method of claim 2, further comprising generating a result based on the user request.
8. The method of claim 7, further comprising storing the result as an HTTP cookie in the client web browser.
9. The method of claim 1, wherein the on-premise device is part of at least one of: a security system, an access control system, a fire suppression system, an HVAC system, or an elevator control system.
10. The method of claim 1, wherein the first name is preprogrammed into the on-premise device.
11. The method of claim 1, wherein the Certificate Authority (CA) is an independent third party.
12. The method of claim 1, wherein the unique name is unique to a service provider.
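The hand-off recited in claims 1 and 2, with the HTTP-header transport and expiration date of claims 5 and 6, worked through as an added example that is not part of the patent or of any code by its applicant. The claims say only that the on-premise device "cryptographically verifies" the data/claims/rights the browser carries over from the cloud service; they do not fix a scheme. This example assumes a per-device HMAC key provisioned to the device during commissioning, a pseudonym of the form `dev-7f3a9c.example-cloud.test`, two DNS views (public DNS pointing the pseudonym at the cloud, site DNS pointing it at the device) and the header name `X-Cloud-Claims`. All of these, and the sample user and rights, are constructed for the example.

```python
"""Claims hand-off between cloud service, client web browser and on-premise device.

Added example, not from the patent. Assumption: the cloud service and the
device share a per-device HMAC key established at commissioning time.
"""
import base64
import hashlib
import hmac
import json

# Constructed sample data (assumptions, not from the patent).
PSEUDONYM = "dev-7f3a9c.example-cloud.test"          # unique name/pseudonym
DEVICE_KEY = b"per-device-secret-provisioned-at-commissioning"
PUBLIC_DNS = {PSEUDONYM: "203.0.113.10"}             # public view: the cloud service
SITE_DNS = {PSEUDONYM: "192.168.1.50"}               # site view: the on-premise device


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_claims(user: str, rights: list, device: str, ttl: int, now: float) -> str:
    """Cloud side: bind user, rights and an expiry to exactly one device pseudonym."""
    body = json.dumps({"sub": user, "aud": device, "rights": sorted(rights),
                       "exp": int(now) + ttl}, separators=(",", ":")).encode()
    tag = hmac.new(DEVICE_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_claims(token: str, device: str, right: str, now: float):
    """Device side: MAC first (constant time), then audience, expiry, right.

    Returns (True, user) or (False, reason). The MAC is checked before the
    body is parsed, so untrusted JSON is never interpreted.
    """
    try:
        body_b64, tag_b64 = token.split(".", 1)
        body = _unb64(body_b64)
        tag = _unb64(tag_b64)
    except (ValueError, TypeError):
        return False, "malformed"
    expected = hmac.new(DEVICE_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad signature"
    claims = json.loads(body)
    if claims.get("aud") != device:          # minted for another device: reject
        return False, "wrong device"
    if claims.get("exp", 0) <= now:          # expiration date (claim 5)
        return False, "expired"
    if right not in claims.get("rights", []):
        return False, "right not granted"
    return True, claims["sub"]


def resolve(name: str, view: dict) -> str:
    """Look the pseudonym up in one DNS view (public DNS or the site's resolver)."""
    return view[name]


def browser_request(token: str, right: str, now: float) -> dict:
    """Browser side: after the redirect to the pseudonym, the site resolver
    yields the device's LAN address and the claims travel in an HTTP header
    (claim 6); the device then runs verify_claims on that header."""
    ip = resolve(PSEUDONYM, SITE_DNS)
    headers = {"Host": PSEUDONYM, "X-Cloud-Claims": token}
    allowed, detail = verify_claims(headers["X-Cloud-Claims"], PSEUDONYM, right, now)
    return {"ip": ip, "allowed": allowed, "detail": detail}
```

The `aud` field is what stops a token issued for one site's device from being replayed at another: the device compares it with its own commissioned pseudonym before looking at any right. With a shared HMAC key the device could also mint tokens, so a deployment that wants the device to hold only verification capability would sign with a cloud-held private key and provision the public key at commissioning instead; the checks in `verify_claims` stay the same.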
13. A system for mixed-mode cloud/on-premise secure communications, the system comprising:
an on-premise device that is commissioned to provide secure communication with a cloud-based service, wherein the commissioning comprises:
the on-premise device generating a set of encryption keys,
the on-premise device connecting to the cloud-based service from a first network address using a first name and transmitting on-premise device information to the cloud-based service, and the cloud-based service generating a unique name/pseudonym for the on-premise device,
a publicly available DNS resolving the unique name/pseudonym to a network address of the cloud-based service, and the cloud-based service transmitting the unique name to the on-premise device,
the on-premise device generating a Certificate Signing Request (CSR) based on the encryption keys and the unique name/pseudonym, and transmitting the CSR to the cloud-based service,
the cloud-based service requesting a digital certificate from a trusted Certificate Authority (CA) using the CSR, receiving the digital certificate once the CA issues it, and transmitting the digital certificate to the on-premise device, and
the on-premise device being configured to use the digital certificate;
a client web browser that uses the first name and login credentials of a user to connect to a web address; and
wherein the cloud-based service verifies the login credentials of the user and, if the login credentials are authenticated, establishes communication with the client web browser and allows communication between the client web browser and the cloud-based service.
14. The system of claim 13, further comprising:
the client web browser attempting to connect to the on-premise device to fulfill a user request;
the cloud-based service transmitting information associated with the user and related to the on-premise device to the client web browser in an encrypted manner;
wherein the client web browser is redirected to a network address associated with the unique name/pseudonym employed during the commissioning;
the client web browser attempting to connect to the unique name/pseudonym and performing Domain Name System (DNS) resolution to identify the IP address of the on-premise device if the IP address is unknown;
the client web browser connecting to the resolved IP address and transmitting the information associated with the user and related to the on-premise device;
the on-premise device transmitting the digital certificate issued during the commissioning to the client web browser, and the client web browser cryptographically verifying the digital certificate; and
the on-premise device cryptographically verifying data/claims/rights from the information associated with the user and related to the on-premise device, and allowing the user request if the data/claims/rights permit it.
15. The system of claim 14, further comprising the client web browser storing the information associated with the user and related to the on-premise device.
16. The system of claim 15, further comprising the on-premise device requesting the information associated with the user and related to the on-premise device from the client web browser.
17. The system of claim 14 or 15, wherein the information associated with the user and related to the on-premise device includes at least one of: rights, security claims, license feature information, user name, expiration date, and server data.
18. The system of claim 17, wherein the information is provided as a URL parameter or an HTTP header.
19. The system of claim 14, further comprising the on-premise device generating a result based on the user request.
20. The system of claim 19, further comprising the client web browser storing the result as an HTTP cookie.
21. The system of claim 13, wherein the on-premise device is part of at least one of: a security system, an access control system, a fire suppression system, an HVAC system, or an elevator control system.
22. The system of claim 13, wherein the first name is preprogrammed into the on-premise device.
23. The system of claim 13, wherein the Certificate Authority (CA) is an independent third party.
24. The system of claim 13, wherein the unique name is unique to a service provider.
25. A computer-readable storage medium configured for mixed-mode cloud/on-premise secure communications, the computer-readable storage medium having program instructions embodied therewith, the program instructions executable by one or more processors to cause the processors to:
commission an on-premise device, wherein the commissioning comprises:
generating a set of encryption keys,
connecting to a cloud-based service from a first network address using a first name, and transmitting on-premise device information to the cloud-based service,
generating a unique name/pseudonym for the on-premise device at the cloud-based service,
resolving the unique name/pseudonym to a network address of the cloud-based service using a publicly accessible cloud-based DNS, and transmitting the unique name to the on-premise device,
generating a Certificate Signing Request (CSR) at the on-premise device based on the encryption keys and the unique name/pseudonym, and transmitting the CSR to the cloud-based service,
requesting a digital certificate from a trusted Certificate Authority (CA) using the CSR, receiving the digital certificate once the CA issues it, and transmitting the digital certificate to the on-premise device, and
configuring the on-premise device to use the digital certificate;
connect to a web address through a client web browser using the first name and login credentials of a user; and
verify the login credentials of the user at the cloud-based service and, if the login credentials are authenticated, establish communication with the client web browser and allow communication between the client web browser and the cloud-based service.
26. The computer-readable storage medium of claim 25, having additional program instructions embodied therewith, the program instructions executable by the one or more processors to cause the processors to:
attempt to connect to the on-premise device using the client web browser to fulfill a user request;
transmit information associated with the user and related to the on-premise device from the cloud-based service to the client web browser in an encrypted manner;
redirect the client web browser to a network address associated with the unique name/pseudonym employed during the commissioning;
attempt to connect to the unique name/pseudonym using the client web browser and perform Domain Name System (DNS) resolution to identify the IP address of the on-premise device if the IP address is unknown;
connect to the resolved IP address using the client web browser and transmit the information associated with the user and related to the on-premise device;
transmit the digital certificate issued to the on-premise device during the commissioning to the client web browser and cryptographically verify the digital certificate using the client web browser; and
cryptographically verify, at the on-premise device, data/claims/rights from the information associated with the user and related to the on-premise device, and allow the user request if the data/claims/rights permit it.

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US201662429336P 2016-12-02 2016-12-02
US62/429336 2016-12-02
PCT/US2017/064228 WO2018102692A1 (en) 2016-12-02 2017-12-01 Mixed-mode cloud on-premise secure communication

Publications (2)

Publication Number Publication Date
CN110036385A (en) 2019-07-19
CN110036385B (en) 2023-08-08

Family

ID=60997527

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201780074608.0A Active CN110036385B (en) 2016-12-02 2017-12-01 Hybrid mode cloud in-house deployment (ON-pre) secure communication

Country Status (3)

Country Link
US (1) US11323427B2 (en)
CN (1) CN110036385B (en)
WO (1) WO2018102692A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220337402A1 (en) * 2019-09-17 2022-10-20 Simon Bourdages Centralized remote migration client credential management
US11385605B2 (en) * 2019-11-12 2022-07-12 Johnson Controls Tyco IP Holdings LLP Building control system with features for operating under intermittent connectivity to a cloud computation system
US11706826B2 (en) * 2020-09-30 2023-07-18 Panasonic Avionics Corporation Methods and systems for deploying a portable computing device on a transportation vehicle
CN112925530A (en) * 2021-03-30 2021-06-08 重庆阿克索信息科技有限公司 Cloud and local hybrid deployment service system
CN114050916A (en) * 2021-10-26 2022-02-15 Chengdu Aircraft Industry (Group) Co., Ltd. Hybrid cloud management system and method
US20230283593A1 (en) * 2022-03-02 2023-09-07 Venafi, Inc. Systems and methods for providing access to applications and services running on a private network
WO2023245537A1 (en) * 2022-06-23 2023-12-28 Intel Corporation Low latency mechanism for cloud to computing system hybrid cloud

Citations (7)

Publication number Priority date Publication date Assignee Title
CN102196035A (en) * 2010-03-18 2011-09-21 Microsoft Corporation Unified web service discovery
CN102986190A (en) * 2010-07-08 2013-03-20 International Business Machines Corporation Resource access management
CN103563294A (en) * 2011-06-30 2014-02-05 International Business Machines Corporation Authentication and authorization methods for cloud computing platform security
CN103718506A (en) * 2011-08-10 2014-04-09 Microsoft Corporation Hybrid unified communications deployment between cloud and on-premise
CN103748548A (en) * 2011-06-30 2014-04-23 Amazon Technologies, Inc. Storage gateway activation process
CN104950837A (en) * 2014-03-26 2015-09-30 Rockwell Automation Technologies, Inc. Cloud manifest configuration management system
CN105262748A (en) * 2015-10-19 2016-01-20 北京东方棱镜科技有限公司 Wide area network user terminal identity authentication method and system

Family Cites Families (60)

Publication number Priority date Publication date Assignee Title
US11582065B2 (en) 2007-06-12 2023-02-14 Icontrol Networks, Inc. Systems and methods for device communication
US8473619B2 (en) 2005-03-16 2013-06-25 Icontrol Networks, Inc. Security network integrated with premise security system
US7565536B2 (en) * 2005-09-02 2009-07-21 Gemalto Inc Method for secure delegation of trust from a security device to a host computer application for enabling secure access to a resource on the web
US20090178131A1 (en) 2008-01-08 2009-07-09 Microsoft Corporation Globally distributed infrastructure for secure content management
US7886038B2 (en) * 2008-05-27 2011-02-08 Red Hat, Inc. Methods and systems for user identity management in cloud-based networks
WO2009155574A1 (en) 2008-06-19 2009-12-23 Servicemesh, Inc. Cloud computing gateway, cloud computing hypervisor, and methods for implementing same
US10530839B2 (en) * 2008-08-11 2020-01-07 Icontrol Networks, Inc. Integrated cloud system with lightweight gateway for premises automation
US8204717B2 (en) 2009-04-01 2012-06-19 Honeywell International Inc. Cloud computing as a basis for equipment health monitoring service
US7970830B2 (en) 2009-04-01 2011-06-28 Honeywell International Inc. Cloud computing for an industrial automation and manufacturing system
US8555381B2 (en) 2009-04-01 2013-10-08 Honeywell International Inc. Cloud computing as a security layer
US9218000B2 (en) 2009-04-01 2015-12-22 Honeywell International Inc. System and method for cloud computing
US9569240B2 (en) * 2009-07-21 2017-02-14 Adobe Systems Incorporated Method and system to provision and manage a computing application hosted by a virtual instance of a machine
US8504609B2 (en) * 2009-08-21 2013-08-06 Fusionops Inc. System and method for facilitating secure integration and communication of cloud services and enterprise applications
US8468609B2 (en) * 2009-08-27 2013-06-18 Cleversafe, Inc. Authenticating use of a dispersed storage network
US8584221B2 (en) 2009-10-23 2013-11-12 Microsoft Corporation Authenticating using cloud authentication
US8527549B2 (en) 2010-02-22 2013-09-03 Sookasa Inc. Cloud based operating and virtual file system
US8910278B2 (en) 2010-05-18 2014-12-09 Cloudnexa Managing services in a cloud computing environment
WO2011159842A2 (en) * 2010-06-15 2011-12-22 Nimbula, Inc. Virtual computing infrastructure
US8826451B2 (en) 2010-08-16 2014-09-02 Salesforce.Com, Inc. Mechanism for facilitating communication authentication between cloud applications and on-premise applications
US8468352B2 (en) * 2010-09-17 2013-06-18 Microsoft Corporation Retrieving and using cloud based storage credentials
US8726348B2 (en) 2010-12-15 2014-05-13 The Boeing Company Collaborative rules based security
EP2663954B1 (en) * 2011-01-10 2019-05-01 International Business Machines Corporation System and method for extending cloud services into the customer premise
US9253252B2 (en) 2011-05-06 2016-02-02 Citrix Systems, Inc. Systems and methods for cloud bridging between intranet resources and cloud resources
US8806593B1 (en) 2011-05-19 2014-08-12 Zscaler, Inc. Guest account management using cloud based security services
US9137304B2 (en) 2011-05-25 2015-09-15 Alcatel Lucent Method and apparatus for achieving data security in a distributed cloud computing environment
US8756665B2 (en) * 2011-07-08 2014-06-17 International Business Machines Corporation Authenticating a rich client from within an existing browser session
US20130142201A1 (en) 2011-12-02 2013-06-06 Microsoft Corporation Connecting on-premise networks with public clouds
US10769913B2 (en) 2011-12-22 2020-09-08 Pelco, Inc. Cloud-based video surveillance management system
US9100189B2 (en) * 2012-08-31 2015-08-04 Freescale Semiconductor, Inc. Secure provisioning in an untrusted environment
US9246839B2 (en) 2013-01-02 2016-01-26 International Business Machines Corporation Extending organizational boundaries throughout a cloud architecture
US20140196022A1 (en) 2013-01-08 2014-07-10 Alexey Skutin Cloud Based Application Packaging
US9300644B1 (en) 2013-02-22 2016-03-29 Symantec Corporation Knowledge-based authentication based on tracked credential usage
AU2014225984B2 (en) 2013-03-04 2017-06-22 Docusign, Inc. Systems and methods for cloud data security
US20140280334A1 (en) 2013-03-12 2014-09-18 Atomic Tower, Inc. Reporting and analytics tool integrated with cloud service applications
US9354983B1 (en) 2013-03-15 2016-05-31 Entreda, Inc. Integrated it service provisioning and management
US9426155B2 (en) 2013-04-18 2016-08-23 International Business Machines Corporation Extending infrastructure security to services in a cloud computing environment
US9786197B2 (en) 2013-05-09 2017-10-10 Rockwell Automation Technologies, Inc. Using cloud-based data to facilitate enhancing performance in connection with an industrial automation system
US20160134686A1 (en) 2013-06-13 2016-05-12 Otis Elevator Company Cloud management
US9319395B2 (en) * 2013-07-03 2016-04-19 Sailpoint Technologies, Inc. System and method for securing authentication information in a networked environment
US9313189B2 (en) 2013-07-11 2016-04-12 Sap Se Automatic management of secure connections
US9882767B1 (en) 2013-07-23 2018-01-30 Zscaler, Inc. Distributed cloud-based dynamic name server surrogation systems and methods
CN104378337B (en) 2013-08-16 2017-06-09 上海金陵电子网络股份有限公司 Communication security method and system for an intelligent-building communication gateway
US9672261B2 (en) 2013-10-04 2017-06-06 Alfresco Software, Inc. Hybrid workflow synchronization between cloud and on-premise systems in a content management system
US9197419B1 (en) 2013-10-14 2015-11-24 Trend Micro Incorporated Security system for data stored in the cloud
US20150142587A1 (en) 2013-11-20 2015-05-21 Honeywell International Inc. System and Method of Dynamic Correlation View for Cloud Based Incident Analysis and Pattern Detection
US9692789B2 (en) 2013-12-13 2017-06-27 Oracle International Corporation Techniques for cloud security monitoring and threat intelligence
CA2936358C (en) 2014-02-07 2021-09-07 Oracle International Corporation Mobile cloud service architecture
US9413818B2 (en) 2014-02-25 2016-08-09 International Business Machines Corporation Deploying applications in a networked computing environment
US9363243B2 (en) 2014-03-26 2016-06-07 Cisco Technology, Inc. External indexing and search for a secure cloud collaboration system
US20150341445A1 (en) * 2014-05-23 2015-11-26 Radoslav Nikolov Hybrid applications operating between on-premise and cloud platforms
US9754228B2 (en) 2014-06-17 2017-09-05 Sap Se Integrating software solutions to execute business applications
US9350710B2 (en) * 2014-06-20 2016-05-24 Zscaler, Inc. Intelligent, cloud-based global virtual private network systems and methods
US9871822B2 (en) 2014-11-28 2018-01-16 International Business Machines Corporation Deployment using a context-based cloud security assurance system
US9762556B2 (en) * 2015-01-09 2017-09-12 Verisign, Inc. Registering, managing, and communicating with IOT devices using domain name system processes
US20160241509A1 (en) * 2015-02-15 2016-08-18 Microsoft Technology Licensing, Llc Method and System for Integrating On-Premise and Cloud Domain Name Systems
US10038721B2 (en) 2015-02-16 2018-07-31 International Business Machines Corporation Enabling an on-premises resource to be exposed to a public cloud application securely and seamlessly
US10127797B2 (en) 2015-02-17 2018-11-13 Honeywell International Inc. Alternative inexpensive cloud-based mass market alarm system with alarm monitoring and reporting
WO2016137397A2 (en) 2015-02-24 2016-09-01 Silicon Cloud International Pte. Ltd. Multi-tenant cloud based systems and methods for secure semiconductor design-to-release manufacturing workflow and digital rights management
US9807060B2 (en) 2015-03-13 2017-10-31 International Business Machines Corporation Governed routing of enterprise data in hybrid mobile applications
US10447683B1 (en) * 2016-11-17 2019-10-15 Amazon Technologies, Inc. Zero-touch provisioning of IOT devices with multi-factor authentication

Non-Patent Citations (1)

Title
Design and Implementation of a Server Resource Management *** for Cloud Computing Environments; Zhao Feng; China Masters' Theses Full-text Database, Information Science and Technology (Issue 05); I138-304 *

Also Published As

Publication number Publication date
US11323427B2 (en) 2022-05-03
WO2018102692A1 (en) 2018-06-07
US20200228350A1 (en) 2020-07-16
CN110036385A (en) 2019-07-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant